[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[tor-talk] Wired Story on Uncovering Users of Hidden Services.
A recent story in Wired is entitled "Visit the Wrong Website and the FBI
Could End Up in Your Computer" by Kevin Poulsen
(http://www.wired.com/2014/08/operation_torpedo/). The story involves
the FBI uncovering the IP addresses of numerous users of a Tor hidden
I know this was mentioned previously
but I am interested in a different aspect.
Within the story, there is a link to a PDF of an application for a
which provides illuminating reading (parts are a bit disgusting as they
refer to the content of the hidden service which was serving child
In short, the FBI arrested the owner of the hidden service, took over
the server, then installed a "Network Investigative Technique" (malware)
which collected the IP of visitors. See pages 31-33 of the PDF
If it's possible for the owner of a hidden service (whether the FBI or a
regular person) to install malware which grabs visitors' IPs, then what
is stopping any hidden service owner from doing this?
The Wired article states that "In a two-week period, the FBI collected
IP addresses, hardware MAC addresses (a unique hardware identifier for
the computerâs network or Wi-Fi card) and Windows hostnames on at least
25 visitors to the sites. Subpoenas to ISPs produced home addresses and
subscriber names, and in April 2013, five months after the NIT
deployment, the bureau staged coordinated raids around the country."
However, in the affidavit, I'm not sure that MAC addresses are
Considering the number of individuals that must have visited the hidden
service, this doesn't seem to be very many people. Why were so few
identified? Were the 25 using outdated browsers (TBB)?
How, in this case, was it possible for the FBI to learn the IP addresses
of visitors to this hidden service? The Tor hidden server page states
that "In general, the complete connection between client and hidden
service consists of 6 relays: 3 of them were picked by the client with
the third being the rendezvous point and the other 3 were picked by the
Can someone knowledgeable please explain how visitors to a Tor hidden
service can have their real IPs detected?
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to